cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to Subversion 1.7.9 which includes the CVE patches committed earlier.

Browse Source
This commit is contained in:
stsp 2013-05-03 07:46:12 +00:00
parent c4c645927e
commit 4939ab3ee9
6 changed files with 4 additions and 200 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
devel/subversion/Makefile
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.120 2013/04/05 14:51:35 stsp Exp $ # $OpenBSD: Makefile,v 1.121 2013/05/03 07:46:12 stsp Exp $
COMMENT-main= subversion revision control system COMMENT-main= subversion revision control system
COMMENT-perl= perl interface to subversion COMMENT-perl= perl interface to subversion
@ -7,8 +7,7 @@ COMMENT-ruby= ruby interface to subversion
COMMENT-ap2= apache2 subversion modules COMMENT-ap2= apache2 subversion modules
COMMENT-gnome-keyring= GNOME keyring support for subversion COMMENT-gnome-keyring= GNOME keyring support for subversion
VERSION= 1.7.8 VERSION= 1.7.9
REVISION= 0
DISTNAME= subversion-${VERSION} DISTNAME= subversion-${VERSION}
PKGNAME-main= ${DISTNAME} PKGNAME-main= ${DISTNAME}
FULLPKGNAME-perl= p5-SVN-${VERSION} FULLPKGNAME-perl= p5-SVN-${VERSION}

4
devel/subversion/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (subversion-1.7.8.tar.bz2) = /IPU2YzOqLe/qPXCD/9UXIuqfQNduTCXdVDFHGyiNoY= SHA256 (subversion-1.7.9.tar.bz2) = +EVMWF+Zr+12QjKlBI2bi/0KJamrjjOepp/hIExFPvQ=
SIZE (subversion-1.7.8.tar.bz2) = 6023912 SIZE (subversion-1.7.9.tar.bz2) = 6040347

104
devel/subversion/patches/patch-subversion_mod_dav_svn_deadprops_c
View File

@ -1,104 +0,0 @@
$OpenBSD: patch-subversion_mod_dav_svn_deadprops_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
CVE-2013-1845
--- subversion/mod_dav_svn/deadprops.c.orig Thu Dec 30 21:46:50 2010
+++ subversion/mod_dav_svn/deadprops.c Wed Apr 3 20:56:32 2013
@@ -168,6 +168,7 @@ save_value(dav_db *db, const dav_prop_name *name,
const char *propname;
svn_error_t *serr;
const dav_resource *resource = db->resource;
+ apr_pool_t *subpool;
/* get the repos-local name */
get_repos_propname(db, name, &propname);
@@ -202,13 +203,16 @@ save_value(dav_db *db, const dav_prop_name *name,
*/
+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
+ PROPPATCH with multiple values. */
+ subpool = svn_pool_create(db->resource->pool);
if (db->resource->baselined)
{
if (db->resource->working)
{
serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
propname, value,
- resource->pool);
+ subpool);
}
else
{
@@ -219,7 +223,7 @@ save_value(dav_db *db, const dav_prop_name *name,
TRUE, TRUE,
db->authz_read_func,
db->authz_read_baton,
- resource->pool);
+ subpool);
/* Prepare any hook failure message to get sent over the wire */
if (serr)
@@ -242,20 +246,21 @@ save_value(dav_db *db, const dav_prop_name *name,
dav_svn__operational_log(resource->info,
svn_log__change_rev_prop(
resource->info->root.rev,
- propname, resource->pool));
+ propname, subpool));
}
}
else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
{
serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
- propname, value, resource->pool);
+ propname, value, subpool);
}
else
{
serr = svn_repos_fs_change_node_prop(resource->info->root.root,
get_repos_path(resource->info),
- propname, value, resource->pool);
+ propname, value, subpool);
}
+ svn_pool_destroy(subpool);
if (serr != NULL)
return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
@@ -540,6 +545,7 @@ db_remove(dav_db *db, const dav_prop_name *name)
{
svn_error_t *serr;
const char *propname;
+ apr_pool_t *subpool;
/* get the repos-local name */
get_repos_propname(db, name, &propname);
@@ -548,11 +554,15 @@ db_remove(dav_db *db, const dav_prop_name *name)
if (propname == NULL)
return NULL;
+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
+ PROPPATCH with multiple values. */
+ subpool = svn_pool_create(db->resource->pool);
+
/* Working Baseline or Working (Version) Resource */
if (db->resource->baselined)
if (db->resource->working)
serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
- propname, NULL, db->resource->pool);
+ propname, NULL, subpool);
else
/* ### VIOLATING deltaV: you can't proppatch a baseline, it's
not a working resource! But this is how we currently
@@ -564,11 +574,12 @@ db_remove(dav_db *db, const dav_prop_name *name)
propname, NULL, NULL, TRUE, TRUE,
db->authz_read_func,
db->authz_read_baton,
- db->resource->pool);
+ subpool);
else
serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
get_repos_path(db->resource->info),
- propname, NULL, db->resource->pool);
+ propname, NULL, subpool);
+ svn_pool_destroy(subpool);
if (serr != NULL)
return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
"could not remove a property",

25
devel/subversion/patches/patch-subversion_mod_dav_svn_liveprops_c
View File

@ -1,25 +0,0 @@
$OpenBSD: patch-subversion_mod_dav_svn_liveprops_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
CVE-2013-1849
--- subversion/mod_dav_svn/liveprops.c.orig Fri Feb 3 21:04:00 2012
+++ subversion/mod_dav_svn/liveprops.c Wed Apr 3 20:56:32 2013
@@ -429,7 +429,8 @@ insert_prop_internal(const dav_resource *resource,
svn_filesize_t len = 0;
/* our property, but not defined on collection resources */
- if (resource->collection || resource->baselined)
+ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
+ || resource->collection || resource->baselined)
return DAV_PROP_INSERT_NOTSUPP;
serr = svn_fs_file_length(&len, resource->info->root.root,
@@ -453,7 +454,9 @@ insert_prop_internal(const dav_resource *resource,
svn_string_t *pval;
const char *mime_type = NULL;
- if (resource->baselined && resource->type == DAV_RESOURCE_TYPE_VERSION)
+ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
+ || (resource->baselined
+ && resource->type == DAV_RESOURCE_TYPE_VERSION))
return DAV_PROP_INSERT_NOTSUPP;
if (resource->type == DAV_RESOURCE_TYPE_PRIVATE

50
devel/subversion/patches/patch-subversion_mod_dav_svn_lock_c
View File

@ -1,50 +0,0 @@
$OpenBSD: patch-subversion_mod_dav_svn_lock_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
CVE-2013-1846 and CVE-2013-1847
--- subversion/mod_dav_svn/lock.c.orig Fri Jun 3 20:09:17 2011
+++ subversion/mod_dav_svn/lock.c Wed Apr 3 20:56:32 2013
@@ -640,7 +640,20 @@ append_locks(dav_lockdb *lockdb,
svn_lock_t *slock;
svn_error_t *serr;
dav_error *derr;
+ dav_svn_repos *repos = resource->info->repos;
+
+ /* We don't allow anonymous locks */
+ if (! repos->username)
+ return dav_svn__new_error(resource->pool, HTTP_UNAUTHORIZED,
+ DAV_ERR_LOCK_SAVE_LOCK,
+ "Anonymous lock creation is not allowed.");
+ /* Not a path in the repository so can't lock it. */
+ if (! resource->info->repos_path)
+ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST,
+ DAV_ERR_LOCK_SAVE_LOCK,
+ "Attempted to lock path not in repository.");
+
/* If the resource's fs path is unreadable, we don't allow a lock to
be created on it. */
if (! dav_svn__allow_read_resource(resource, SVN_INVALID_REVNUM,
@@ -663,7 +676,6 @@ append_locks(dav_lockdb *lockdb,
svn_fs_txn_t *txn;
svn_fs_root_t *txn_root;
const char *conflict_msg;
- dav_svn_repos *repos = resource->info->repos;
apr_hash_t *revprop_table = apr_hash_make(resource->pool);
apr_hash_set(revprop_table, SVN_PROP_REVISION_AUTHOR,
APR_HASH_KEY_STRING, svn_string_create(repos->username,
@@ -741,14 +753,14 @@ append_locks(dav_lockdb *lockdb,
/* Convert the dav_lock into an svn_lock_t. */
derr = dav_lock_to_svn_lock(&slock, lock, resource->info->repos_path,
- info, resource->info->repos->is_svn_client,
+ info, repos->is_svn_client,
resource->pool);
if (derr)
return derr;
/* Now use the svn_lock_t to actually perform the lock. */
serr = svn_repos_fs_lock(&slock,
- resource->info->repos->repos,
+ repos->repos,
slock->path,
slock->token,
slock->comment,

16
devel/subversion/patches/patch-subversion_mod_dav_svn_reports_log_c
View File

@ -1,16 +0,0 @@
$OpenBSD: patch-subversion_mod_dav_svn_reports_log_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
CVE-2013-1884
--- subversion/mod_dav_svn/reports/log.c.orig Wed Jan 11 16:57:13 2012
+++ subversion/mod_dav_svn/reports/log.c Wed Apr 3 20:56:32 2013
@@ -341,10 +341,9 @@ dav_svn__log_report(const dav_resource *resource,
dav_xml_get_cdata(child, resource->pool, 1));
if (serr)
{
- derr = dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
"Malformed CDATA in element "
"\"limit\"", resource->pool);
- goto cleanup;
}
}
else if (strcmp(child->name, "discover-changed-paths") == 0)